I'm sure there's probably some blurb buried deep somewhere in a "You passed the JNCIS-SEC test, so you should know this!" document, but honestly, I've always attached my host-inbound-traffic directly to my interfaces, not to the zones, and I've never run into this issue before.

Re: ASA to SRX golden configuration

Host-inbound-traffic under a specific interface always overrides the zone configuration, but having it just configured in a zone Should Just Work™ just as well.

On an unrelated side note, there are extra services that are ONLY available when you configure under an interface, such as dhcp, bootp, etc.

As for the original problem, I would disable "establish-tunnels immediately" on the SRX650. Cisco defaults to something equivalent to "establish-tunnels on-traffic" (e.g. something has to match the crypto-map before it will trigger IKE), and this can cause a synchronisation issue where both gateways are trying to initiate a tunnel to each other, and this WILL fail repeatedly. As a rule of thumb, I always set up SPOKES to connect back to the hub, with "establish-tunnels immediately" on the spoke side and no configuration on the hub.

Also, I notice in your IKE Gateway configuration you specify a local-identity. This shouldn't be required in Main mode, so remove it from the configuration just in case it is interfering with anything.
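The two points made in the reply above, host-inbound-traffic at zone versus interface level and the spoke-initiates/hub-waits pattern for establish-tunnels, as an added Junos example. This is not configuration from the thread; the zone, interface unit (ge-0/0/0.455), gateway address, policy and VPN names are all assumed placeholders.

```junos
## Zone-level host-inbound-traffic: applies to every interface in the zone
set security zones security-zone untrust interfaces ge-0/0/0.455
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping

## Interface-level host-inbound-traffic: when present, this list is used for
## ge-0/0/0.455 instead of the zone list above (it overrides, it does not merge)
set security zones security-zone untrust interfaces ge-0/0/0.455 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.455 host-inbound-traffic system-services ping

## IKE policy in main mode; no local-identity is set on the gateway,
## so the SRX identifies itself by its external-interface address
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposal-set standard
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-PSK"   ## placeholder
set security ike gateway HUB-GW ike-policy IKE-POL
set security ike gateway HUB-GW address 203.0.113.1                           ## assumed hub address
set security ike gateway HUB-GW external-interface ge-0/0/0.455

## Spoke side: this SRX initiates as soon as the config commits
set security ipsec policy IPSEC-POL proposal-set standard
set security ipsec vpn SPOKE-TO-HUB bind-interface st0.0
set security ipsec vpn SPOKE-TO-HUB ike gateway HUB-GW
set security ipsec vpn SPOKE-TO-HUB ike ipsec-policy IPSEC-POL
set security ipsec vpn SPOKE-TO-HUB establish-tunnels immediately

## Hub side (the peer that should only respond): leave establish-tunnels out,
## so the default on-traffic behaviour applies and the hub never races the spoke
delete security ipsec vpn HUB-TO-SPOKE establish-tunnels

## Verify which side brought the SA up and that only one IKE SA exists per peer
show security ike security-associations
show security ipsec security-associations
```

If you see two IKE SAs to the same peer flapping in `show security ike security-associations`, both ends are initiating; removing `establish-tunnels immediately` from one side is the fix the reply describes.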

Re: ASA to SRX golden configuration

I took another look at this (tried your suggestion as well keithr - same result though...). I have several interfaces on the SRX and found out that traffic isn't entering the .455 interface but rather .15 (same physical interface though, ge-0/0/0) and they belong to the same security zone, untrust. When that became clear to me, I added a policy for untrust to untrust which permits ping, and voilà, the pings are suddenly answered... This might explain a lot I guess. I've just added "application any" to the untrust to untrust rule and will see if the VPNs act more stable than before.

It's probably useful to let readers know that at time of writing Cisco ASA does *not* support Route-Based VPN, unlike the SRX.

The setup I'm using is route-based on SRX and of course policy-based on ASA. I wanted to bring up the topic of proxy IDs.

My initial understanding was these were required and should align to the 'crypto-map' on the Cisco end, but in my setup it's working without proxy-id and I'm not using traffic-selectors either. I suspect this is because we're using route-based VPN on the SRX side. Further input from the expert would be most welcome.
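An added Junos example covering the last two posts: the intra-zone untrust-to-untrust policy that was needed once traffic turned out to arrive on a different unit of the same zone, and an explicit proxy-identity for a route-based st0 VPN facing a policy-based ASA. None of this is from the thread; the VPN name, subnets and zone membership are assumed. One thing worth knowing when reading the proxy-id question: with no proxy-identity configured, the SRX uses 0.0.0.0/0 for both local and remote, which is wider than whatever the ASA's crypto-map ACL proposes.

```junos
## Both sub-interfaces sit in untrust, so a packet entering on .15 and leaving
## via .455 (or the reverse) is an untrust-to-untrust flow and needs a policy
set security zones security-zone untrust interfaces ge-0/0/0.15
set security zones security-zone untrust interfaces ge-0/0/0.455

## Intra-zone policy: permit only ICMP echo rather than "application any",
## so the rule does not become a blanket permit between untrust interfaces
set security policies from-zone untrust to-zone untrust policy ALLOW-PING match source-address any
set security policies from-zone untrust to-zone untrust policy ALLOW-PING match destination-address any
set security policies from-zone untrust to-zone untrust policy ALLOW-PING match application junos-icmp-ping
set security policies from-zone untrust to-zone untrust policy ALLOW-PING then permit
set security policies from-zone untrust to-zone untrust policy ALLOW-PING then log session-init

## Route-based VPN towards the ASA: the tunnel interface carries the route
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.2.0.0/24 next-hop st0.0        ## assumed remote LAN

## Explicit proxy-identity, mirroring the ASA crypto-map ACL (assumed subnets).
## Omit these three lines and the SRX falls back to 0.0.0.0/0 <-> 0.0.0.0/0 any.
set security ipsec vpn TO-ASA bind-interface st0.0
set security ipsec vpn TO-ASA ike gateway ASA-GW
set security ipsec vpn TO-ASA ike ipsec-policy IPSEC-POL
set security ipsec vpn TO-ASA ike proxy-identity local 10.1.0.0/24
set security ipsec vpn TO-ASA ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn TO-ASA ike proxy-identity service any

## Check the negotiated selectors against the ASA ACL, and whether the
## intra-zone policy is actually matching
show security ipsec security-associations detail
show security policies from-zone untrust to-zone untrust policy ALLOW-PING
show security flow session protocol icmp
```

The `detail` output lists the local and remote identity the Phase 2 SA was built with; if the ASA ACL is narrower than what is shown there, the tunnel came up only because the ASA initiated and the SRX accepted the narrower proposal, which is fragile when the initiator changes.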